Scheduled Task Creation via PowerShell Schedule.Service COM Object

Rule Info

Name
Scheduled Task Creation via PowerShell Schedule.Service COM Object
Author
MalGamy (Nextron System)
Description
Detects PowerShell execution using the Schedule.Service COM object to create scheduled tasks. There are straightforward methods to create scheduled tasks using built-in Windows tools such as schtasks.exe or PowerShell cmdlets like New-ScheduledTask. However, threat actors may leverage alternatice method such as the Schedule.Service COM object to create scheduled tasks to bypass detection.
Reference
https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver
Date
2025-10-21 00:00:00
Modified
None
Id
915af8a8-7db6-4f4c-bc94-0c2ea8353416
Tags
attack.execution attack.t1059.001 attack.t1559.001 attack.persistence attack.t1053.005 attack.privilege-escalation
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022